Change the Realm configuration in the default conf/server.xml
file to use an org.apache.catalina.realm.LockOutRealm.
The LockOutRealm is available since 6.0.19, but has
not been configured by default. (kkolinko)

Update the packaged version of the Tomcat Native Library to 1.2.12 to
pick up the latest Windows binaries built with OpenSSL 1.0.2k. (violetagg)

Update the NSIS Installer used to build the Windows installer to version
3.01. (markt)

Refactor the build script and the NSIS installer script so that either
NSIS 2.x or NSIS 3.x can be used to build the installer. This is
primarily to re-enable building the installer on the Linux based CI
system where the combination of NSIS 3.x and wine leads to failed
installer builds. (markt)

55017: Add the ability to configure the RMI bind address when
using the JMX remote listener. Patch provided by Alexey Noskov. (markt)

56039: Enable the JmxRemoteLifecycleListener to work over
SSL. Patch by esengstrom. (markt)

56096: When the rmiBindAddress attribute of the
JMX Remote Lifecycle Listener is specified, its value will be used when
constructing the address of the JMX API connector server. Patch
provided by Jim Talbut. (markt)

57377: Remove the restriction that prevented the use of SSL
when specifying a bind address with the JMXRemoteLifecycleListener. Also
enable SSL to be configured for the registry as well as the server.
(markt)

59123: Close NamingEnumeration objects used by
the JNDIRealm once they are no longer required.
(fschumacher/markt)

59138: Correct a false positive warning for ThreadLocal
related memory leaks when the key class but not the value class has been
loaded by the web application class loader. (markt)

59269: Correct the implementation of
PersistentManagerBase so that minIdleSwap
functions as designed and sessions are swapped out to keep the active
session count below maxActiveSessions. (markt)

59247: Preload ResourceEntry as a workaround for security
manager issues on some JVMs. (kkolinko/remm)

59310: Do not add a Content-Length: 0 header for
custom responses to HEAD requests that do not set a
Content-Length value. (markt)

59449: In ContainerBase, ensure that the process
to remove a child container is the reverse of the process to add one.
Patch provided by Huxing Zhang. (markt)

RMI Target related memory leaks are avoidable which makes them an
application bug that needs to be fixed rather than a JRE bug to work
around. Therefore, start logging RMI Target related memory leaks on web
application stop. Add an option that controls if the check for these
leaks is made. Log a warning if running on Java 9 with this check
enabled but without the command line option it requires. (markt)

59708: Modify the LockOutRealm logic. Valid authentication
attempts during the lock out period will no longer reset the lock out
timer to zero. (markt)

By default, treat paths used to obtain a request dispatcher as encoded.
This behaviour can be changed per web application via the
dispatchersUseEncodedPaths attribute of the Context.
(markt)

Provide a mechanism that enables the container to check if a component
(typically a web application) has been granted a given permission when
running under a SecurityManager without the current execution stack
having to have passed through the component. Use this new mechanism to
extend SecurityManager protection to the system property replacement
feature of the digester. (markt)

When retrieving an object via a ResourceLink, ensure that
the object obtained is of the expected type. (markt)

Switch the CGI servlet to the standard logging mechanism and remove
support for the debug attribute. (markt)

Add a new initialisation parameter, envHttpHeaders, to
the CGI Servlet to mitigate httpoxy
(CVE-2016-5388) by default and to provide a mechanism that can be
used to mitigate any future, similar issues. (markt)

When adding and removing ResourceLinks dynamically, ensure
that the global resource is only visible via the
ResourceLinkFactory when it is meant to be. (markt)

Make timing attacks against the Realm implementations harder.
(schultz/markt)

Ensure Digester.useContextClassLoader is considered in
case the class loader is used. (violetagg)

60151: Improve the exception error messages when a
ResourceLink fails to specify the type, specifies an
unknown type or specifies the wrong type. (markt)

Correct basePackage and PrivilegedFindResourceByName
in SecurityClassLoad so that Tomcat can
successfully start with the Security Manager enabled. (csutherl)

Improve the access checks for linked global resources to handle the case
where the current class loader is a child of the web application class
loader. (markt)

58646: Correct a problem with sendfile that resulted in a
Processor being added to the cache twice leading to broken responses.
(markt)

Limit the default TLS ciphers for JSSE (BIO, NIO) and OpenSSL (APR) to
those currently considered secure. (markt)

Add a new environment variable JSSE_OPTS that is intended
to be used to pass JVM wide configuration to the JSSE implementation.
The default value is -Djdk.tls.ephemeralDHKeySize=2048
which protects against weak Diffie-Hellman keys. (markt)

58283: Change the default download location for libraries
during the build process from /usr/share/java to
${user.home}/temp. Patch provided by Ahmed Hosni. (markt)

59031: When using the Windows uninstaller, do not remove the
contents of any directories that have been symlinked into the Tomcat
directory structure. (markt)

Modify the default tomcat-users.xml file to make it harder
for users to configure the entries intended for use with the examples
web application for the Manager application. (markt)

59280: Update the NSIS Installer used to build the
Windows Installers to version 2.51. (kkolinko)

58626: Add support for a new environment variable
(USE_NOHUP) that causes nohup to be used when
starting Tomcat. It is disabled by default except on HP-UX where it is
enabled by default since it is required when starting Tomcat at boot on
HP-UX. (markt)

Use the mirror network rather than the ASF master site to download the
current ASF dependencies. (markt)

Update the packaged version of the Tomcat Native Library to 1.2.10 to
pick up the latest Windows binaries built with OpenSSL 1.0.2j. (markt)

Back-port various improvements to the AprLifecycleListener
including the fix for 57021 that improves logging when the
Tomcat-Native DLL fails to load. (markt)

57154: Add support for web applications (Context elements)
that do not have a docBase. This is intended for use when embedding,
such as Tomcat unit tests, when a web application is configured
programmatically and does not serve any files. Based on a patch
provided by Huxing Zhang. (kkolinko)

57741: Enable the CGI servlet to use the standard error page
mechanism. Note that if the CGI servlet's debug init parameter is
set to 10 or higher then the standard error page mechanism will be
bypassed and a debug response generated by the CGI servlet will be
returned instead. (markt)

57896: Support defensive copying of "cookie" header so that
unescaping double quotes in a cookie value does not corrupt original
value of "cookie" header. This is an opt-in feature, enabled by
org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER
or org.apache.catalina.STRICT_SERVLET_COMPLIANCE
system property. (kkolinko)

58031: Make the (first) reason that parameter parsing failed
available as a request attribute and then use it to provide a better
status code via the FailedRequestFilter (if configured). (markt)

58508: Escape role names when generating associated MBeans in
case the role name contains characters not permitted in an MBean name.
(markt)

58582: Combined realm should perform background processing
on its sub-realms. Based upon a patch provided by Aidan. (kkolinko)

Move the functionality that provides redirects for context roots and
directories where a trailing / is added from the Mapper to
the DefaultServlet. This enables such requests to be
processed by any configured Valves and Filters before the redirect is
made. This behaviour is configurable via the
mapperContextRootRedirectEnabled and
mapperDirectoryRedirectEnabled attributes of the Context
which may be used to restore the previous behaviour. (markt)

58635: Enable break points to be set within agent code when
running Tomcat with a Java agent. Based on a patch by Huxing Zhang.
(markt)

Add the StatusManagerServlet to the list of Servlets that
can only be loaded by privileged applications. (markt)

Remove redundant copy of catalina.properties from o.a.c.startup.
Generate this copy during the ant "compile" task. (kkolinko)

58817: Fix ArrayIndexOutOfBoundsException
caused by MapperListener when ROOT context is being
undeployed and mapperContextRootRedirectEnabled="false". (kkolinko)

58836: Correctly merge query string parameters when
processing a forwarded request where the target includes a query string
that contains a parameter with no value. (markt/kkolinko)

Allow singleton server instance stored by ServerFactory
to be cleared.
Allow ResourceLinkFactory to be initialized more than once.
This is used by unit tests when running several copies of Tomcat
sequentially in the same JVM.
When running with a SecurityManager the initialization method of
ResourceLinkFactory is protected by requiring a
RuntimePermission. (kkolinko)

Extend the feature available in the cluster session manager
implementations that enables session attribute replication to be
filtered based on attribute name to all session manager implementations.
Note that configuration attribute name has changed from
sessionAttributeFilter to
sessionAttributeNameFilter. Apply the filter on load as
well as unload to ensure that configuration changes made while the web
application is stopped are applied to any persisted data. (markt)

Extend the session attribute filtering options to include filtering
based on the implementation class of the value and optional
WARN level logging if an attribute is filtered. These
options are available for all of the Manager implementations that ship
with Tomcat. When a SecurityManager is used filtering will
be enabled by default. (markt)

Correct typo in the message shown by HttpServlet for unexpected
HTTP method. (kkolinko)

Allow RemoteAddrValve and RemoteHostValve to be configured to
adapt their behavior depending on the connector port. Implemented
by optionally adding the connector port to the string compared
with the allow and deny patterns. Configured
using the addConnectorPort attribute on the valve. (rjung)

56608: Fix IllegalStateException for JavaScript files when
switching from Writer to OutputStream. The special handling of this case
in the DefaultServlet was broken due to a MIME type change for
JavaScript. (markt)

CVE-2014-0230: Add a new system property
org.apache.coyote.MAX_SWALLOW_SIZE (defaults to 2MB)
that limits the amount of data Tomcat will swallow if the request body
has not been fully read during normal request processing, e.g.
for an aborted upload. (Note: in Tomcat 7 and later this feature is
configured by the maxSwallowSize attribute on a connector.)
When applying the limit to a connection, try to read that many bytes
first before closing the connection to give the client a chance to
read the response.
(markt)

57544: Fix a potential infinite loop when preparing a kept
alive HTTP connection for the next request. (markt)

57570: Make the processing of chunked encoding trailing
headers optional and disabled by default. (markt)

54143: Add display of the memory pools usage (including
PermGen) to the Status page of the Manager web application. (kkolinko)

Fix several issues with status.xsd schema in Manager web
application, testing it against actual output of StatusTransformer
class. (kkolinko)

Align algorithm that generates anchor names in Tomcat documentation
with Tomcat 7/8/9. No visible changes, but may help with future
updates to the documentation. (kkolinko)

56058: Add links to the AccessLogValve documentation for
configuring reverse proxies and/or Tomcat to ensure that the desired
information is entered in the access log when Tomcat is running
behind a reverse proxy. (markt)

57503: Make clear that the JULI integration for log4j only
works with log4j 1.2.x. (markt)

57706: Clarify the documentation for the AJP connector to
make clearer that when using
tomcatAuthentication="false" the user provided by
the reverse proxy will not be associated with any roles. (markt)

Correct the documentation for deployOnStartup to make clear that if a
WAR file is updated while Tomcat is stopped and unpackWARs is true,
Tomcat will not detect the changed WAR file when it starts and will not
replace the unpacked WAR file with the contents of the updated WAR.
(markt)

57759: Add information to the keyAlias documentation to make
it clear that the order keys are read from the keystore is
implementation dependent. (markt)

57864: Update the documentation web application to make it
clearer that hex values are not valid for cluster send options. Based on
a patch by Kyohei Nakamura. (markt)

Fix CVE-2014-0227:
Various improvements to ChunkedInputFilter including clean-up, i18n for
error messages and adding an error flag to allow subsequent attempts at
reading after an error to fail fast. (markt)

56606: When creating tomcat-users.xml in the
Windows Installer, use the new attribute name for the name of the user.
(markt)

56829: Add the ability for users to define their own values
for _RUNJAVA and _RUNJDB environment
variables. Be more strict with executable filename on Windows
(s/java/java.exe/). Based on a patch by Neeme Praks. (markt/kkolinko)

56608: When deploying an external WAR, add watched resources
in the expanded directory based on whether the expanded directory is
expected to exist rather than if it does exist.

When triggering a reload due to a modified watched resource, ensure
that multiple changed watched resources only trigger one reload rather
than a series of reloads.

56236: Enable Tomcat to work with alternative Servlet and
JSP API JARs that package the XML schemas in such a way as to require
a dependency on the JSP API before enabling validation for web.xml.
Tomcat has no such dependency. (markt)

Change the default value of the xmlBlockExternal attribute
of Context elements. It is now true. (kkolinko)

Don't log to standard out in SSLValve. (kkolinko/markt)

Use StringBuilder in DefaultServlet. (kkolinko)

56275: Allow web applications to be stopped cleanly even if
filters throw exceptions when their destroy() method is called.
(markt/kkolinko)

Fix CVE-2014-0096:
Redefine the globalXsltFile initialisation parameter of the
DefaultServlet as relative to CATALINA_BASE/conf or CATALINA_HOME/conf.
Prevent user supplied XSLTs used by the DefaultServlet from defining
external entities. (markt)

Add a workaround for validating XML documents (often TLDs) that use
just the file name to refer to the JavaEE schema on which they
are based. (kkolinko)

56369: Ensure that removing an MBean notification listener
reverts all the operations performed when adding an MBean notification
listener. (markt)

Restore the validateXml option to Jasper that was previously renamed
validateTld. Both options are now supported. validateXml controls the
validation of web.xml files when Jasper parses them and validateTld
controls the validation of *.tld files when Jasper parses them. (markt)

56283: Add support for running Tomcat 6 with
ecj-P20140317-1600.jar (as drop-in replacement for ecj-4.3.1.jar). Add
support for value "1.8" for the compilerSourceVM and
compilerTargetVM options. Note that ecj-P20140317-1600.jar
can only be used when running with Java 6 or later. The "1.8" options
make sense only when running with Java 8 (or later). (kkolinko)

56334: Fix a regression in the handling of back-slash
escaping introduced by the fix for 55735. (markt/kkolinko)

Correct the handling of back-slash escaping in the EL parser and no
longer require that \$ or \# must be followed
by { in order for the back-slash escaping to take effect.
(markt)

Improvements to the Windows installer, to align it with installing
the service with service.bat. Use explicit memory sizes
(--JvmMs 128 Mb and --JvmMx 256 Mb). Specify the log directory path
when installing, so that the log file is written to the Tomcat logs
directory instead of "%SystemRoot%\System32\LogFiles\Apache".
(kkolinko)

49993, 56143: Improve the service.bat
script. Allow it to be launched from a non-UAC console. The UAC prompt
will be shown only once. Now there is no need to run the command shell
with elevated privileges. Improve the check for JAVA_HOME
and add support for JRE_HOME. Warn if neither the "client"
nor the "server" JVM is found. Align classpath, display name and other
options with the exe installer. Make command names
case-insensitive. Update documentation. (kkolinko)

Correctly associate the default resource bundle with the English locale
so that requests that specify an Accept-Language of English ahead of
French, Spanish or Japanese get the English messages they asked for.
(markt)

Add missing JavaEE 5 XML schema definitions. (markt)

When Catalina parses TLD files, always use a namespace aware parser to
be consistent with how Jasper parses TLD files. The
tldNamespaceAware attribute of the Context is now ignored.
(markt)

As per section SRV.14.4.3 of the Servlet 2.5 specification, a namespace
aware, validating parser will be used when processing *.tld
and web.xml files if the system property
org.apache.catalina.STRICT_SERVLET_COMPLIANCE is set to
true. (markt)

Fix CVE-2014-0033:
Ensure that session IDs are not parsed from URLs for Contexts where
disableURLRewriting is true. (markt)

Fix CVE-2013-4590:
Add an option to the Context to control the blocking of XML external
entities when parsing XML configuration files and enable this blocking
by default when a security manager is used. The block is implemented via
a custom resolver to enable the logging of any blocked entities. (markt)

56016: When loading resources for XML schema validation, take
account of the possibility that servlet-api.jar and jsp-api.jar may not
be loaded by the same class loader. Patch by Juan Carlos Estibariz.
(markt)

54691: Add configuration attribute "sslEnabledProtocols"
to HTTP connector and document it. (Internally this attribute has
been already implemented but not documented, under names "protocols"
and "sslProtocols". Those names of this attribute are now deprecated).
(schultz)

54947: Fix the HTTP NIO connector that incorrectly rejected a
request if the CRLF terminating the request line was split across
multiple packets. Patch by Konstantin Preißer. (markt)

55198: Ensure attribute values in tagx files that include EL
and quoted XML characters are correctly quoted in the output. (markt)

55671: Consistently use the configuration option name
genStringAsCharArray rather than a mixture of
genStrAsCharArray and genStringAsCharArray, but
retain support for genStrAsCharArray as an initialisation
parameter for the JSP servlet to retain backwards compatibility with
existing configurations. (markt)

55691: Fix javax.el.ArrayELResolver to correctly
handle the case where the base object is an array of primitives. (markt)

55973: Fix processing of XML schemas when validation is
enabled in Jasper. (kkolinko)

54220: Ensure the ErrorReportValve only generates an error
report if the error flag on the response has been set. (markt)

Fix memory leak of servlet instances when running with a
SecurityManager and either init() or destroy() methods fail
or the servlet is a SingleThreadModel one, and of filter instances
if their destroy() method fails with an Error. (kkolinko)

54382: Fix NPE when SSI processing is enabled and an empty
SSI directive is present. (markt)

54483: Correct one of the Spanish translations. Based on a
suggestion from adinamita. (kkolinko)

Add sample Apache Commons Daemon JSVC wrapper script bin/daemon.sh that
can be used with /etc/init.d. (kkolinko)

In the build configuration: introduce property "tomcat.output" that is
used to specify location of the build output directory. This simplifies
configuration if someone wants to move the output directory
elsewhere (e.g. out of the source tree). (kkolinko)

50306: New StuckThreadDetectionValve to detect requests that
take a long time to process, which might indicate that their processing
threads are stuck. Based on a patch provided by TomLu. (kkolinko)

50570: Enable FIPS mode to be set in AprLifecycleListener.
Based upon a patch from Chris Beckey. Note that this mode requires
tomcat-native 1.1.23 or later linked to a FIPS-capable OpenSSL library,
which one has to build oneself. (schultz/kkolinko)

Improve synchronization and error handling in AprLifecycleListener.
Do not allow SSL options to be changed if SSL has already been initialized.
(schultz/kkolinko)

52293: Correctly handle the case when
antiResourceLocking is enabled at the Context level when
unpackWARs is disabled at the Host level. Correctly
handle multi-level contexts when antiResourceLocking
is enabled. Patch by Justin Miller. (kkolinko)

Do not throw IllegalArgumentException from the parseParameters() call
when a chunked POST request is too large, but treat it like an IO error.
The FailedRequestFilter filter can be used to detect this
condition. (kkolinko)

52384: Do not fail with parameter parsing when debug logging
is enabled. (kkolinko)

Do not flag extra '&' characters in parameters as parse errors.
(kkolinko)

52488: Correct typos: exipre -> expire. Based on a patch by
prockter. (markt)

52719: Fix a theoretical resource leak in the JAR validation
that checks for non-permitted classes in web application JARs. (markt)

52830: Correct JNDI lookups when using
javax.naming.Name to identify the resource rather than a
java.lang.String. (markt)

52850: Extend memory leak prevention and detection code to
work with IBM as well as Oracle JVMs. Based on a patch provided by
Rohit Kelapure. (kkolinko)

52996: In StandardThreadExecutor:
Add the ability to configure a job queue size
(maxQueueSize attribute).
Add a variant of the execute method that allows a timeout to be specified
for how long to keep trying to add a job to the queue.
Based on a patch by Rüdiger Plüm. (kkolinko)

53047: If a JDBCRealm or DataSourceRealm is configured for
an all roles mode that only requires authorization (and no roles) and no
role table or column is defined, don't populate the Principal's roles.
(markt/kkolinko)

53071: Use the message from the Throwable for the error
report generated by the ErrorReportValve if none was
specified via sendError(). Use the standard text for HTTP
error codes. (markt/rjung)

53230: Change session managers to throw
TooManyActiveSessionsException instead of IllegalStateException
when the maximum number of sessions has been exceeded and a new
session will not be created. (schultz/kkolinko)

53267: Ensure that using the GC Daemon Protection feature of
the JreMemoryLeakPreventionListener does not trigger a
full GC every hour. (markt/kkolinko)

53531: Fix ExpandWar.expand to check the return value of
File.mkdir and File.mkdirs. (schultz)

Make the CSRF nonce cache in CsrfPreventionFilter
serializable so that it can be replicated across a cluster and/or
persisted across Tomcat restarts. (markt)

53584: Ignore path parameters when comparing URIs for FORM
authentication. This prevents users being prompted twice for passwords
when logging in when session IDs are being encoded as path parameters.
(markt)

CVE-2012-3439:
Various improvements to the DIGEST authenticator including
52954, the disabling caching of an authenticated user in the
session by default, tracking server rather than client nonces and better
handling of stale nonce values. (markt)

Implement the maxHeaderCount attribute on Connector.
It is the equivalent of the LimitRequestFields directive of
Apache HTTPD.
The default value is 100. (kkolinko)

In the JkCoyoteHandler connector for the AJP/1.3 protocol
(in JkMain.setProperty()):
Fix setting of properties that have aliases when the connector has
already started. E.g. it now allows the maxHeaderCount attribute on
the Connector MBean to be changed via JMX.
(kkolinko)

Update the native component of the APR/native connectors to 1.1.23
and take advantage of the simplified distribution. (kkolinko)

When building a Windows installer do not copy the whole "res" folder to
output/dist, but only the files that are needed. Apply the fixcrlf filter
only after the files are copied, so that the INSTALLLICENSE
file has correct line endings. (kkolinko)

Remove res/License.rtf. The file that is actually shown
by the Windows installer is res/INSTALLLICENSE.
(kkolinko)

Improve RUNNING.txt. (kkolinko)

Align the script that deploys Maven jars for Tomcat
(res/maven/mvn-pub.xml) with the Tomcat 7 version,
making full use of Nexus. (markt)

53034: Add project.url and
project.licenses sections to the POMs for the Maven
artifacts. (kkolinko)

53454: Return correct content-length header for HEAD requests
when content length is greater than 2GB. (markt)

51758: The digester (used for processing XML files) used the
logger name org.apache.commons.digester.Digester rather
than the expected org.apache.tomcat.util.digester.Digester.
The digester has been changed to use the expected logger name.
(kkolinko)

51862: Added a classesToInitialize attribute to
JreMemoryLeakPreventionListener to allow pre-loading of configurable
classes to avoid some classloader leaks. (slaurent)

51872: Ensure that the access log always uses the correct
value for the remote IP address associated with the request and that
requests with multiple errors do not result in multiple entries in
the access log. (markt)

Allow session implementations to override the check for distributability
of session attributes. (rjung)

Provide the log format "OneLineFormatter" for JULI that provides the same
information as the default plus thread name but on a single line.
(markt/rjung)

Ensure that the memory leak protection for the HttpClient keep-alive
always operates even if the thread has already stopped. (markt)

51940: Do not limit saving of request bodies during FORM
authentication to POST requests since any HTTP method may include a
request body. Based on a patch by Nicholas Sushkin. (kkolinko)

In GenericPrincipal, SerializablePrincipal: Do not sort lists of roles
that have only one element. (kkolinko)

Make a configuration issue for CsrfPreventionFilter result in the
failure of the filter rather than just a warning message. (kkolinko)

Ensure changes to the configuration of RemoteAddrValve and
RemoteHostValve via JMX are thread-safe. (kkolinko)

Make a configuration issue for RemoteAddrValve and
RemoteHostValve result in the failure of the valve rather than
just a warning message. (kkolinko)

In RequestFilterValve (RemoteAddrValve,
RemoteHostValve): refactor value matching logic into
separate method and expose this new method isAllowed
through JMX. (kkolinko)

Improve performance of parameter processing for GET and POST requests.
Also add an option to limit the maximum number of parameters processed
per request. This defaults to 10000. Excessive parameters are ignored.
Note that FailedRequestFilter can be used to reject the
request if some parameters were ignored. (markt/kkolinko)

New filter FailedRequestFilter that will reject a request
if there were errors during HTTP parameter parsing. (kkolinko)

New cluster manager attribute sessionAttributeFilter
allows filtering of which session attributes are replicated, using a
regular expression applied to the attribute name. (rjung)

Avoid an unnecessary session ID change notice.
The session ID change notice from JvmRouteBinderValve is unnecessary for
BackupManager. In BackupManager, a change of session ID is replicated by
the call to the setId() method. (kfujino)

Create a directory for access log or error log (in AccessLogValve and
in JULI FileHandler) automatically when it is specified as a part of
the file name, e.g. in the prefix attribute. Earlier this
happened only if it was specified with the directory
attribute. (kkolinko)

Improve handling of URLs with path parameters and prevent incorrect 404
responses that could occur when path parameters were present.
The method getRequestURI() was fixed to comply with the
specification (chapter SRV.3.1 of Servlet Spec. 2.5, javadoc) and now
returns the original request URI from the HTTP request line, including any
path parameters (such as jsessionid). See issues 51833 and
53584.
(kkolinko/markt)

36362: Handle the case where tag file attributes (which can
use any valid XML name) have a name which is not a Java identifier.
(markt)

47371: Correctly coerce the empty string to zero when used as
an operand in EL arithmetic. Patch provided by gbt. (markt)

50726: Ensure that the use of the genStringAsCharArray does
not result in String constants that are too long for valid Java code.
(markt)

50895: Don't initialize classes created during the
compilation stage. (markt)

51124: Make Tomcat more robust if an OOME occurs. Usually
after an OOME all bets are off but this change appears to help some
users and the description of a 'recoverable' OOME in the bug
is a plausible one. Based on a patch by Ramiro. (markt)

Correct possible threading issue in JSP compilation when development
mode is used. (markt)

51220: Add a system property to enable tag pooling with JSPs
that use a custom base class. Based on a patch by Dan Mikusa. (markt)

Broaden the exception handling in the EL Parser so that more failures to
parse an expression include the failed expression in the exception
message. Hopefully, this will help track down the cause of
51088. (markt)

Clarify error messages in *.sh files to mention that if a script is
not found it might be because execute permission is needed. (kkolinko)

33262, 40510, 50949, 51135:
Various improvements to the Windows installer to be able to install
several copies of Tomcat 6 side by side. Allow the service
name, connector and shutdown ports to be configured. Allow the user to
choose whether to install Start menu shortcuts and the Apache Tomcat
monitor application for all users or for the current one only. Improve
auto-detection of JAVA_HOME for 64-bit Windows platforms: autoselect a
32-bit JRE if it exists and a 64-bit one is not available. Improve
server.xml file handling. Fix the uninstallation icon. (markt/kkolinko)

50854: Add additional entries to the default catalina.policy
file to support running the manager web application from CATALINA_HOME
or CATALINA_BASE. (markt)

Update default download sources to use the central Apache Maven 2
repository as some libraries have been removed from the central Apache
Maven 1 repository. (kkolinko)

50606: Improve CGIServlet: Provide support for specifying an
empty value for the executable init-param. Provide support
for explicit additional arguments for the executable. These were
broken by the fix for bug 49657. (kkolinko)

50620: Stop exceptions that occur during
Session.endAccess() from preventing the normal completion
of Request.recycle(). (markt)

50556: Improve JreMemoryLeakPreventionListener to prevent
a potential class loader leak caused by a thread spawned when the class
com.sun.jndi.ldap.LdapPoolManager is initialized and the
system property com.sun.jndi.ldap.connect.pool.timeout is
set to a value greater than 0. (slaurent)

50642: Move the sun.net.www.http.HttpClient
keep-alive thread memory leak protection from the
JreMemoryLeakPreventionListener to the WebappClassLoader since the
thread that triggers the memory leak is created on demand. (markt)

49497: Stop accepting new requests (including keep-alive) once the
BIO connector is paused and the current request has finished processing.
(markt)

49521: Disable scanning for a free port in the Jk AJP/1.3
connector by default. Do not change the maxPort field value of ChannelSocket
in its setPort() and init() methods. Add
support for a maxPort attribute on a Connector
element as a synonym for channelSocket.maxPort. (kkolinko)

49625: Ensure Vary header is set if response may be
compressed rather than only setting it if it is compressed. (markt)

49730: Fix race condition in StandardThreadExecutor that can
lead to long delays in processing requests. Patch provided by Sylvain
Laurent. (markt)

49860: Add support for trailing headers in chunked HTTP
requests. The header length is limited to 8192 by default and the limit
can be changed via a system property. (markt/kkolinko)

49343: When ChannelException is thrown, remove listener from
channel. (kfujino)

Add a null check when a CHANGE_SESSION_ID message is received. (kfujino)

When a cluster node disappears when using the backup manager, handle the
failed ping message rather than propagating the exception (which just
logs the stack trace but doesn't do anything to deal with the failure).
(markt)

Configure the Manager web application to use the new CSRF protection. To
take advantage of this protection, the manager role must be
removed from all users and the new manager-gui and
manager-script roles used instead. (markt)

Configure the Host Manager web application to use the new CSRF
protection. To take advantage of this protection, the admin role
must be removed from all users and the new admin-gui and
admin-script roles used instead. (markt)

50303: Update JNDI how-to to reflect new JavaMail and JAF
download locations and that JAF is now included in Java SE 6. (markt)

Numerous improvements to the Windows installer: update install/uninstall
icons, create an installation log, allow 32-bit JVMs to be selected when
installing on a 64-bit platform, replace the .ini files with the script
equivalents, use the new manager and host-manager roles, provide the
ability to edit the roles for the added user, add support for the
/? command line switch, clean up fully after installation,
add DetailPrint statements for operations that may take time and
improve the descriptions of the components. (kkolinko, mturk, markt)

Close security hole in unreleased 6.0.25 by ensuring new find leaks
functionality is protected by a security constraint. (kkolinko)

48831: Improve logging shutdown behaviour. Use Catalina's
shutdown hook to shut down JULI. This enables them to be shut down in the
correct order. Do not shut down global handlers several times.
(markt/kkolinko)

48371: Ensure generated servlet mappings are inserted at the
correct location when using JspC and allow the option that controls this
to be configured on the command line. Also allow the encoding of web.xml
to be configured when using JspC and deprecate some unused JspC methods.
(markt/kkolinko)

48726: Prevent OOME when uploading large WAR files with the
deployer. Patch provided by adam. (markt)

Improve memory leak protection by safely stopping threads started via
java.util.Timer that an application starts but fails to
stop and by clearing references retained due to the use of
java.util.ResourceBundle. (markt)

48616: Don't declare or synchronize scripting variables for
JSP fragments since they are scriptless. This is an alternative fix for
42390 that avoids both the original problem and the
regression in the first fix. (kkolinko)

48421: Fix file descriptor and potential memory leak when a
web application uses a local logging.properties file. Allow a web
application's log files to be deleted once the web application has been
stopped. (markt)

Log errors if a web application starts a thread but fails to stop the
thread when the web application stops or is reloaded. Failure to stop a
thread is very likely to result in a memory leak. (markt)

Provide an option to stop any threads a web application starts but fails
to stop when the web application stops or is reloaded. Using this option
is very likely to result in instability and should be viewed as a last
resort in development and is not recommended at all in production.
(markt)

Log errors if a web application creates a ThreadLocal but fails to clear
it when the web application stops or is reloaded. Failure to clear a
ThreadLocal is very likely to result in a memory leak. (markt)

Clear any unintentional references remaining in
sun.rmi.transport.Target when the web application stops or
is reloaded. Failure to clear these is very likely to result in a memory
leak. (markt)

47316: Allow different values for Service name and Engine
name. This corrects a regression introduced by the fix for
42707. (markt)

47343: Editing context.xml for a directory should not delete
the directory. This was a regression caused by the fix for
42747. (markt)

47364: Improve Javadoc for
org.apache.catalina.connector.Request.getAttributeNames() to include
information on the handling of Tomcat's internal request attributes.
(markt)

47451: Don't throw an NPE if the various response.setHeader()
methods are called with null header name, zero length header name or
null value. Silently ignore the calls in the same way they are ignored
if the response has already been committed. (markt)

Update Apache Commons Pool from 1.4 to 1.5.4. This update includes
various fixes to prevent deadlocks, reduces synchronization and makes
object allocation occur fairly - i.e. objects are allocated to threads
in the order that the threads request them. This update fixes a number
of issues in Tomcat's built-in copy of DBCP. (markt)

Provide a new listener to protect against a memory leak caused by a
change in the Sun JRE from version 1.6.0_15 onwards. Also include
protection against locked JAR files, memory leaks triggered by
XML parsing and the GC Daemon. (markt)

Allow per instance configuration of JULI or log4j for core Tomcat
logging when using CATALINA_BASE. (markt/kkolinko)

Prevent NPE in JULI during shutdown when resources try to log messages
after JULI has been shutdown. (fhanik/kkolinko)

Make the JULI FileHandler easier to extend. (fhanik)

Make buffer size for FileHandler configurable. (fhanik)

Make JULI FileHandler thread safe. (fhanik)

Provide an option to disable buffering in the JULI FileHandler.
(kkolinko)

Ensure log messages are not lost on shutdown. (markt)

44679: Provide an option to allow the equals character in
unquoted cookie values. (markt)

Add support for a connectionTimeout parameter to the JNDIRealm. (markt)

Various (un)deployment related improvements including better handling of
failed (un)deployment, additional checking for valid zip entries that
don't make sense in a WAR and improved validation of WAR file names.
(markt)

Remove the code that auto-detects the value for compilerSourceVM,
compilerTargetVM options of Jasper, because we know that this version
of Tomcat cannot run on JDK 1.4 and thus the value is always "1.5".
(kkolinko)

Change default values for JDK version compliance options of JspC
(-source and -target when running from command line)
to be "1.5", to be the same as the ones used by Jasper servlet.
(kkolinko)

Make constants in the TagHandlerPool really constant. (markt)

When development mode is enabled and a JSP is deleted, ensure next
request for that JSP is consistent with the JSP having been removed.
(markt/kkolinko)

48019: Be more careful about skipping content that does not
need to be parsed. (markt)

Better handling of exception in JSP if parsed JSP source is not
available. (markt)

47824: Make Servlet API an optional dependency for JULI when
using Maven. (markt)

Add support for per instance (using $CATALINA_BASE) log4j.properties
files, JDBC drivers etc by adding ${catalina.base}/lib and
${catalina.base}/lib/*.jar to the start of the common loader class
path. (markt)

Correct CVE-2009-3548. When installed via the Windows installer and
using defaults, don't create an administrative user with a blank
password. Additionally, the administrative user is only created if the
manager or host-manager web applications are selected for installation.
(markt)

Further improvements to the administrative user name and password
handling in the Windows installer. (kkolinko)

Fix various edge-cases when parsing EL, particularly inside attribute
values. Note that the Expert Group has confirmed that JSP.1.6 takes
precedence over JSP.1.3.10. Therefore EL in attributes must be escaped
twice. (markt)

46047: Include the path to the JAR when recording
dependencies that are located inside a JAR file. Patch provided by
Cédric Mailleux. (markt)

46381: Composite expressions used for attribute values must
be coerced to Strings. (markt)

42750: Request line should be tolerant of multiple
whitespaces. (markt/fhanik)

42934: Change the order of events on context start so
contextInitialized() event is fired before
sessionDidActivate(). The spec isn't 100% clear on the
required order but this seems more logical than the current behaviour.
(markt)

43150: Allow Tomcat to start correctly when installed on a
path that contains a # character. (markt)

The fix for 43285 had the side-effect of coercing
null values to zero. This side-effect has been made
configurable with a system property,
org.apache.el.parser.COERCE_TO_ZERO which defaults to
true. Patch provided by Nils Eckert. (markt)

43343: Correctly handle requesting a session we are in the
middle of persisting. Based on a suggestion by Wade Chandler. (markt)

44562: HEAD requests cannot use includes. Patch provided by
David Jencks. (markt)

44595: Add possibility to request the QueueSize of an
executor via JMX. (jfclere)

Fix CGI Servlet so it correctly reads the environment variables on
Vista. (markt)

44611: DirContextURLConnection didn't implement
getHeaderFields(), getHeaderField(String name) was case sensitive and
returned "" rather than null for header values that did not exist. Patch
provided by Chris Hubick. (markt)

44633: Provide a more helpful error message if a class can't
be loaded due to a version error. (rjung/markt)

44646: Correct various issues, including an ISE, in
CometConnectionManagerValve. (markt)

45015: You can't use an unescaped quote if you quote the
value with that character. (markt/fhanik)

Add HTML filtering of error messages for included resources in case the
app has tried to include an unsafe URL that does not exist. This is
really an app responsibility but the filtering has been added for XSS
safety. (markt)

Update commons-logging to version 1.1.1 and the NSIS installer to 2.34.
(markt)

Update to commons-pool version 1.4, native version 1.1.12 and update
the download location for the commons libraries. (markt)

Change chunked input parsing: always parse the CRLF directly after a chunk has
been received, except when data is not available. If data is not available for
CRLF parsing we run into BZ 11117 and must defer the parsing of the CRLF to the
next read event. This fixes the incorrect blocking when using CometProcessor
and draining data during the READ event, where it previously would block
incorrectly waiting for the next chunk. (fhanik)

The CometProcessor interface now extends the javax.servlet.Servlet interface. (fhanik)

Fix CVE-2007-5342 by limiting permissions granted to JULI. (markt)

Fix handling of CometEvent.close when called during the BEGIN event. (fhanik)

43594: Use setenv from CATALINA_BASE (if set) in preference
to the one in CATALINA_HOME. Patch provided by Shaddy Baddah.
(markt/jim)

Cookie handling/parsing changes!
The following behavior has been changed with regards to Tomcat's cookie handling:
a) Cookies containing control characters, except 0x09 (HT), are rejected with an IllegalArgumentException.
b) If cookie values are not quoted, they will be quoted if they contain tspecials (version 0) or tspecials2 (version 1) characters.
c) The escape character '\\' is allowed and respected as an escape character, and will be unescaped during parsing.

The cookie parsing of $Version regression from 6.0.15 has been fixed.
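The three rules above, worked through in code. This is an added example, not Tomcat's own ServerCookie or Cookies implementation: the class, method names and the two tspecials sets (comma, semicolon and space for version 0; the RFC 2109 separators for version 1) are assumptions, as is escaping an embedded quote or backslash when a value has to be wrapped in quotes.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example illustrating the cookie-value rules (a), (b) and (c) above.
 * Not Tomcat's own code; the tspecials sets below are assumptions.
 */
public final class CookieValueRules {

    // ASSUMPTION: version-0 tspecials and version-1 tspecials2 character sets.
    private static final String TSPECIALS_V0 = ",; ";
    private static final String TSPECIALS_V1 = "()<>@,;:\\\"/[]?={} \t";

    /** Rule (a): reject any control character other than HT (0x09). */
    public static void checkNoControlChars(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if ((c < 0x20 && c != 0x09) || c == 0x7f) {
                throw new IllegalArgumentException(
                        "Control character 0x" + Integer.toHexString(c) + " in cookie value");
            }
        }
    }

    private static boolean containsAny(String value, String chars) {
        for (int i = 0; i < value.length(); i++) {
            if (chars.indexOf(value.charAt(i)) >= 0) {
                return true;
            }
        }
        return false;
    }

    private static boolean isQuoted(String value) {
        return value.length() >= 2
                && value.charAt(0) == '"'
                && value.charAt(value.length() - 1) == '"';
    }

    /** Rule (b): quote an unquoted value when it contains tspecials for the given version. */
    public static String quoteIfNeeded(String value, int version) {
        checkNoControlChars(value);
        if (isQuoted(value)) {
            return value;
        }
        String specials = (version == 0) ? TSPECIALS_V0 : TSPECIALS_V1;
        if (!containsAny(value, specials)) {
            return value;
        }
        StringBuilder sb = new StringBuilder(value.length() + 2).append('"');
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '"' || c == '\\') {
                sb.append('\\'); // ASSUMPTION: escape quote/backslash inside the quoted value
            }
            sb.append(c);
        }
        return sb.append('"').toString();
    }

    /** Rule (c): strip the quotes and honour backslash as the escape character. */
    public static String unquote(String value) {
        if (!isQuoted(value)) {
            return value;
        }
        StringBuilder sb = new StringBuilder(value.length());
        int last = value.length() - 1; // index of the closing quote
        for (int i = 1; i < last; i++) {
            char c = value.charAt(i);
            if (c == '\\' && i + 1 < last) {
                c = value.charAt(++i); // take the escaped character literally
            }
            sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values, not captured from a real client.
        List<String> samples = Arrays.asList("abc", "a b", "a=b", "say \"hi\"");
        for (String v : samples) {
            String v0 = quoteIfNeeded(v, 0);
            String v1 = quoteIfNeeded(v, 1);
            System.out.println(v + " -> v0: " + v0 + " | v1: " + v1
                    + " | round-trip: " + unquote(v1));
        }
        try {
            checkNoControlChars("bad\u0000value");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rejection in rule (a) is the security-relevant part: a control character (other than HT) inside a Set-Cookie or Cookie header is what lets a value be split into additional headers, so it is refused outright rather than quoted or escaped.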

The script that builds the Windows installer was including additional
files due to the way it processes recursive file selectors. The
selectors have been modified to only include the intended files. (markt)

43435: Don't iterate and relocate sessions if they are not part of the map.

43356: The keystore parameter is relative to CATALINA_BASE. The
truststore is either defined as a parameter, via javax.net.ssl.trustStore,
or, if empty, defaults to the keystore.
SSL client certificate authentication changed from a boolean to "true|false|want". (fhanik)

30949: Improve previous fix. Ensure requests are re-cycled
on cross-context includes and forwards when an exception occurs in the
target page. (markt)

42944: Correctly handle servlet mappings that use a '+'
character as part of the url pattern. (markt)

42951: Don't use CATALINA_OPTS when stopping Tomcat. This
allows options for starting and stopping to be set on JAVA_OPTS and
options for starting only to be set on CATALINA_OPTS. Without this
fix, some startup options (eg the port for remote JMX) would cause
stop to fail. Based on a fix suggested by Michael Vorburger.
Port of r454193 (36976) from Tomcat 5.5.x. (markt,rjung)

Fixed NIO memory leak caused by the NioChannel cache not working properly.

Added a flag to enable/disable the use of the poller's selector instead of a
Selector pool when the servlet is reading/writing from the input/output streams.
The flag is -Dorg.apache.tomcat.util.net.NioSelectorShared=true.

Requests with multiple content-length headers are now rejected. (markt)
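One way to apply that rule when reading request headers, as an added example that is not Tomcat's own header parsing (the class and method names are assumptions): the check treats a second Content-Length as a hard error rather than picking either value, since two differing lengths leave the body boundary ambiguous between the servers and proxies on the path.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example: validate that a request carries at most one Content-Length
 * header and that its value is a non-negative integer. Not Tomcat's own code.
 */
public final class ContentLengthCheck {

    /**
     * Returns the declared body length, or -1 when no Content-Length header is
     * present. Throws IllegalArgumentException on a duplicate or malformed header.
     */
    public static long contentLength(List<String> headerLines) {
        int seen = 0;
        long length = -1;
        for (String line : headerLines) {
            int colon = line.indexOf(':');
            if (colon < 0) {
                continue; // not a header line; a real parser would reject it
            }
            String name = line.substring(0, colon).trim();
            if (!name.equalsIgnoreCase("Content-Length")) {
                continue;
            }
            if (++seen > 1) {
                throw new IllegalArgumentException("Multiple Content-Length headers");
            }
            String raw = line.substring(colon + 1).trim();
            try {
                length = Long.parseLong(raw);
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException("Invalid Content-Length: " + raw);
            }
            if (length < 0) {
                throw new IllegalArgumentException("Negative Content-Length: " + raw);
            }
        }
        return length;
    }

    public static void main(String[] args) {
        // Constructed header sets; not captured from a real request.
        List<String> single = Arrays.asList(
                "Host: example.test", "Content-Length: 5");
        List<String> duplicate = Arrays.asList(
                "Host: example.test", "Content-Length: 5", "content-length: 12");
        List<String> none = Arrays.asList("Host: example.test");

        System.out.println("single    -> " + contentLength(single));
        System.out.println("none      -> " + contentLength(none));
        try {
            contentLength(duplicate);
        } catch (IllegalArgumentException e) {
            System.out.println("duplicate -> rejected: " + e.getMessage());
        }
    }
}
```

Header names are matched case-insensitively, so `content-length` and `Content-Length` count as the same header; a check that compared names case-sensitively would let the second copy through.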

41217: Set secure attribute on SSO cookie when cookie is
created during a secure request. Patch provided by Chris Halstead.
(markt)

40524: HttpServletRequest.getAuthType() now returns
CLIENT_CERT rather than CLIENT-CERT for certificate authentication
as per the spec. Note that web.xml continues to use CLIENT-CERT to
specify the certificate authentication should be used. (markt)

41401: Add support for JPDA_OPTS to catalina.bat and add a
JPDA_SUSPEND environment variable to both startup scripts. Patch
provided by Kurt Roy. (markt)

Use tomcat-native-1.1.10 as the recommended version.
OpenSSL detection on some platforms was broken. 1.1.8 will continue to work,
although on some platforms there can be a JVM crash if IPv6 is enabled and the
platform doesn't support IPv4-mapped addresses on IPv6 sockets.